The State could be facing multimillion euro payouts after it was found to have illegally retained the personal data of 3.2m people in the rollout of its Public Services Card (PSC).
After a 20-month investigation, the Data Protection Commissioner (DPC), Helen Dixon, found that the expansion of the card’s remit to other State services from its social welfare origins is illegal under data protection legislation.
Given the huge number of citizens who hold a card and the social protection department’s now stated dubious legal standing on the issue, it has been speculated that under the EU’s General Data Protection Regulation (GDPR), the State could be liable for damages totalling hundreds of euro per person for each of the 3.2m cardholders.
“It could run into tens of millions in terms of liability, if you had that many people taking a case en masse,” said Fred Logue, principal solicitor with privacy specialists FP Logue.
“You would have to look at the finding with regard to the unlawful processing,” he said, stressing that the DPC’s decision had been arrived at under legislation predating the 2018 Data Protection Act.
I would be wondering why such a lengthy investigation had taken place with regard to a legal regime that has ceased to exist.
Ms Dixon ordered the Department of Employment Affairs and Social Protection, the State body with principal responsibility for administering the card, to delete the historic personal information — such as utility bills or other proofs of residence — it holds on all holders of a PSC. She gave the department 42 days to come up with an implementation plan.
Ms Dixon also said the department must indicate within seven days whether or not the actual report will be published in full.
The findings are a hammer blow to the PSC project, which has faced accusations of illegality from a data protection point of view since its inception in 2011, and particularly since the Government sought to expand the card’s remit to other services, such as applying for a driving licence, in early 2017.
The DPC’s announcement is likely to place extreme pressure on Social Protection Minister Regina Doherty, who has been one of the card’s staunchest defenders over the period of the investigation.
Ms Doherty briefly responded to the controversy yesterday, telling RTÉ News: “We have been considering them [the report’s findings] since yesterday, and we’ll reach a decision and say more as quickly as we possibly can.”
Those who had been campaigning against the card welcomed the move by the commissioner.
“It’s been a very long road, one which saw a small number of people working very hard towards this goal,” said Elizabeth Farries, information rights project manager with the Irish Council for Civil Liberties.
“It’s a cause to celebrate. The findings show that there is something very serious to worry about here.”
However, Ms Farries sounded a note of caution.
“It’s not clear that we’ll actually see the report, and it’s really truly important that it is published.”
Digital Rights Ireland (DRI), the privacy advocacy group which has repeatedly challenged the nature of the Public Services Card with the commissioner, welcomed the report but stressed that much blame for the adverse findings must rest with the public service.
“The blame is not just with the politicians, it lies with civil servants,” said Antoin Ó Lachtnain, director of DRI. “I don’t think they ever understood the implications of what they were doing or of GDPR, and that is an extremely serious matter in terms of how all public administration is run.
“You could be talking about an absolutely massive claim, hundreds for each cardholder. The risks were enormous, and the real problem is that the Government did this knowingly.”